kubernetes / cloud-provider-aws

Cloud provider for AWS
https://cloud-provider-aws.sigs.k8s.io/
Apache License 2.0

[feat] ecr-credential-provider support to authenticate public registries #603

Closed mmerkes closed 1 year ago

mmerkes commented 1 year ago

What type of PR is this? /kind feature

What this PR does / why we need it: ecr-credential-provider can now authenticate public registries, which allows users to access larger ECR data transfer limits. See #602 for more details. This will not work outside of the aws partition as the ECR public endpoint is only in us-east-1 and it requires IAM authentication.

To enable this, you may need a couple of changes in your nodes:

  1. Add public.ecr.aws to matchImages in your CredentialProviderConfig. See below for an example.
  2. The node IAM policy needs ecr-public:GetAuthorizationToken and sts:GetServiceBearerToken permissions. See below for an example policy.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr-public:GetAuthorizationToken",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}
```

Which issue(s) this PR fixes:

Fixes #602

Special notes for your reviewer:

For testing, I created a 1.26 EKS cluster with an AL2 nodegroup in us-west-2, built the ecr-credential-provider, uploaded to the nodes and used the below image credential provider config:

```json
{
  "apiVersion": "kubelet.config.k8s.io/v1",
  "kind": "CredentialProviderConfig",
  "providers": [
    {
      "name": "ecr-credential-provider",
      "matchImages": [
        "public.ecr.aws",
        "*.dkr.ecr.*.amazonaws.com",
        "*.dkr.ecr.*.amazonaws.cn",
        "*.dkr.ecr-fips.*.amazonaws.com",
        "*.dkr.ecr.us-iso-east-1.c2s.ic.gov",
        "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
      ],
      "defaultCacheDuration": "12h",
      "apiVersion": "credentialprovider.kubelet.k8s.io/v1"
    }
  ]
}
```

I deployed the EKS sample app and verified the following:

  1. pods came up
  2. GetAuthorizationToken to private ECR registry endpoint showed up in us-west-2
  3. GetAuthorizationToken to public ECR registry endpoint showed up in us-east-1
  4. Images were successfully downloaded

Does this PR introduce a user-facing change?:

`ecr-credential-provider` supports authenticating for ECR public registries.
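The routing rule the PR description implies, written out as an added illustration rather than code from the cloud-provider-aws project: given an image reference and the partition the node runs in, pick the ECR API and region to request a token from, and refuse public.ecr.aws outside the aws partition instead of sending the request to an endpoint that cannot serve it. `ResolveAuthTarget`, `AuthTarget`, the partition argument and the 12-digit account id in the sample references are assumptions of this example, not names from the project.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuthTarget names the ECR API a node-side credential provider would call to get a
// registry token for an image. Added illustration only; not the project's implementation.
type AuthTarget struct {
	Service string // "ecr" for private registries, "ecr-public" for public.ecr.aws
	Region  string // region of the API endpoint to call
	Host    string // registry host taken from the image reference
}

// privateHost covers the private-registry shapes listed in matchImages:
// <account>.dkr.ecr[-fips].<region>.<partition DNS suffix>
var privateHost = regexp.MustCompile(`^[0-9]{12}\.dkr\.(ecr|ecr-fips)\.([a-z0-9-]+)\.([a-z0-9.-]+)$`)

// ResolveAuthTarget decides how an image reference must be authenticated. partition is
// the AWS partition the node runs in ("aws", "aws-cn", ...). Public ECR exists only in the
// aws partition and only in us-east-1, so other partitions get an error, not a route.
func ResolveAuthTarget(image, partition string) (AuthTarget, error) {
	host := image
	if i := strings.IndexByte(image, '/'); i >= 0 {
		host = image[:i]
	}
	if host == "public.ecr.aws" {
		if partition != "aws" {
			return AuthTarget{}, fmt.Errorf("public ECR is unavailable in partition %q", partition)
		}
		return AuthTarget{Service: "ecr-public", Region: "us-east-1", Host: host}, nil
	}
	m := privateHost.FindStringSubmatch(host)
	if m == nil {
		return AuthTarget{}, fmt.Errorf("%q is not an ECR registry host", host)
	}
	return AuthTarget{Service: "ecr", Region: m[2], Host: host}, nil // private: own region
}

func main() {
	// Constructed sample references (account id is made up): public, private FIPS, non-ECR.
	for _, img := range []string{"public.ecr.aws/eks/pause:3.9",
		"123456789012.dkr.ecr-fips.us-west-2.amazonaws.com/app:1.0", "docker.io/library/nginx:1.25"} {
		t, err := ResolveAuthTarget(img, "aws")
		fmt.Printf("%s -> %+v err=%v\n", img, t, err)
	}
}
```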

k8s-ci-robot commented 1 year ago

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

k8s-ci-robot commented 1 year ago

Hi @mmerkes. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

olemarkus commented 1 year ago

/ok-to-test

dims commented 1 year ago

cc @jlbutler

dims commented 1 year ago

/approve

nckturner commented 1 year ago

/lgtm /approve

k8s-ci-robot commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, nckturner

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes/cloud-provider-aws/blob/master/OWNERS)~~ [dims,nckturner]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.